debug crypto isakmp
Please let us know some of the debug messages you get when you initiate traffic.

Date: Sun, 9 Oct 2011 22:01:46 +0530
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] Site to site VPN using CA

Hi All,

Network diagram:
lo1-----R1(10.1.1.1)--------(10.1.1.2)R2(20.1.1.2)-----------(20.1.1.1)R3---lo3 
                                 loop2 for NTP Server


I am creating a site-to-site tunnel between R1 and R3 using a CA, but it is not
working.
Loopback1 and Loopback3 carry the interesting traffic on their respective routers.
R1 and R3 are authenticated and enrolled with the CA server on lo2.




--------------------------------------------------------------------
R1 Config
--------------------------------------------------------------------
crypto pki trustpoint R3
 enrollment url http://2.2.2.2:80
 subject-name CN = R3.cisco.com
 revocation-check crl
 rsakeypair R3.cisco.com
!
crypto pki certificate chain R3
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
        quit
!
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 20.1.1.1
 set transform-set TSET
 match address ACS
!
ip ssh version 1
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.0 10.1.1.2
!
ip http server
no ip http secure-server
!
ip access-list extended ACS
 permit ip host 1.1.1.1 host 3.3.3.3
!
ntp authentication-key 1 md5 13061E010803 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179880
ntp server 2.2.2.2

--------------------------------------------------------------------
R2 Config
--------------------------------------------------------------------
crypto pki server R2
 database level complete
 database archive pem password 7 060506324F41584B56
 issuer-name CN = R2 CA Server,L = London,ST = MI
 cdp-url http://2.2.2.2/cgi-bin/pkiclient.exe?operation=GetCRL
 database url flash:
!
crypto pki trustpoint R2
 revocation-check crl
 rsakeypair R2.cisco.com
!
crypto pki certificate chain R2
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
        quit
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 2.0.0.0
 network 10.0.0.0
 network 20.0.0.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ntp authentication-key 1 md5 14141B180F0B 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp master 2

--------------------------------------------------------------------
R3 Config
--------------------------------------------------------------------
crypto pki trustpoint R3
 enrollment url http://2.2.2.2:80
 subject-name CN = R3.cisco.com
 revocation-check crl
 rsakeypair R3.cisco.com
!
crypto pki certificate chain R3
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  4B201CC6 E7
        quit
!
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TSET
 match address ACS
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
router eigrp 1
 network 20.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 20.1.1.2
!
ip http server
no ip http secure-server
!
ip access-list extended ACS
 permit ip host 3.3.3.3 host 1.1.1.1
!
ntp authentication-key 1 md5 00071A150754 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179821
ntp server 2.2.2.2
!




_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com                                         
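What I would check before turning on debugs, added here as an example (it is not part of the original post and not a Cisco tool): a small Python script that re-reads the R1/R3 crypto-map configs as posted and verifies the things that must line up before ISAKMP is even attempted: the set peer address against the far side's crypto interface, the crypto ACLs as mirror images, the trustpoint subject-names (both ends use crypto isakmp identity dn), and whether each router has any route at all to the interesting destination, since a packet with no route is dropped before it reaches the egress interface where the crypto map is applied. The configs are re-typed from the thread with the PKI blobs, NTP, ISAKMP policy and transform set left out; R1 and R3 are symmetric, so one template produces both, and R2 is reduced to its EIGRP network statements. The parser, the classful handling of EIGRP network lines and the assumption that all three routers are EIGRP neighbours are mine, not stated in the post.

```python
"""Added example, not from the original post: checks to run on a crypto-map pair
before 'debug crypto isakmp'.  R1/R3 re-typed from the thread minus PKI blobs,
NTP, ISAKMP policy and transform set; R2 reduced to its EIGRP network lines.
Assumed: the three routers are EIGRP neighbours; 'network' lines are classful."""
import ipaddress
import re

SITE = """\
crypto pki trustpoint R3
 subject-name CN = R3.cisco.com
crypto map MAP 10 ipsec-isakmp
 set peer {peer}
 match address ACS
interface {lo}
 ip address {lo_ip} 255.255.255.0
interface {wan}
 ip address {wan_ip} 255.255.255.0
 crypto map MAP
router eigrp 1
 network {net}
ip route {lo_net} 255.255.255.0 {via}
ip access-list extended ACS
 permit ip host {lo_ip} host {far}
"""
R1 = SITE.format(peer="20.1.1.1", lo="Loopback1", lo_ip="1.1.1.1", wan="FastEthernet0/0",
                 wan_ip="10.1.1.1", net="10.0.0.0", lo_net="1.1.1.0", via="10.1.1.2", far="3.3.3.3")
R3 = SITE.format(peer="10.1.1.1", lo="Loopback3", lo_ip="3.3.3.3", wan="FastEthernet0/1",
                 wan_ip="20.1.1.1", net="20.0.0.0", lo_net="3.3.3.0", via="20.1.1.2", far="1.1.1.1")
R2 = "router eigrp 1\n network 2.0.0.0\n network 10.0.0.0\n network 20.0.0.0\n"

def classful(net):  # an EIGRP 'network' without a wildcard is a classful network
    o = int(net.split(".")[0])
    return ipaddress.ip_network(f"{net}/{8 if o < 128 else 16 if o < 192 else 24}", strict=False)

def parse(text):
    """Minimal IOS reader: unindented lines open a section, indented lines belong to it."""
    cfg = {"ifaces": {}, "acls": {}, "cmap": {}, "statics": [], "eigrp": [], "subject": None}
    sect = name = None
    for line in text.splitlines():
        body = line.strip()
        if not line.startswith(" "):
            sect = name = None
            if m := re.match(r"interface (\S+)", body):
                sect, name = "iface", m[1]
                cfg["ifaces"][name] = {}
            elif m := re.match(r"ip access-list extended (\S+)", body):
                sect, name = "acl", m[1]
                cfg["acls"][name] = []
            elif m := re.match(r"ip route (\S+) (\S+) \S+", body):
                cfg["statics"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
            elif body.startswith("crypto map "): sect = "cmap"
            elif body.startswith("router eigrp"): sect = "eigrp"
            elif body.startswith("crypto pki trustpoint"): sect = "tp"
        elif sect == "iface" and (m := re.match(r"ip address (\S+) (\S+)", body)):
            cfg["ifaces"][name]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif sect == "iface" and (m := re.match(r"crypto map (\S+)", body)):
            cfg["ifaces"][name]["cmap"] = m[1]
        elif sect == "cmap" and (m := re.match(r"(?:set|match) (\S+) (\S+)", body)):
            cfg["cmap"][m[1]] = m[2]  # keys: peer, address
        elif sect == "acl" and (m := re.match(r"permit ip host (\S+) host (\S+)", body)):
            cfg["acls"][name].append((m[1], m[2]))
        elif sect == "eigrp" and (m := re.match(r"network (\S+)$", body)):
            cfg["eigrp"].append(classful(m[1]))
        elif sect == "tp" and (m := re.match(r"subject-name (.+)", body)):
            cfg["subject"] = m[1]
    return cfg

def crypto_address(cfg):  # address of the interface carrying the crypto map: the ISAKMP endpoint
    return next(str(i["net"].ip) for i in cfg["ifaces"].values() if "cmap" in i)

def has_route(cfg, dest, routers):
    """Connected, static, or coarsely EIGRP-learned: a prefix can only be learned if
    some router's 'network' statement covers it, whatever the adjacencies do."""
    d = ipaddress.ip_address(dest)
    connected = [i["net"].network for i in cfg["ifaces"].values() if "net" in i]
    learned = [n for r in routers for n in r["eigrp"]]
    return any(d in n for n in connected + cfg["statics"] + learned)

def check_peer(local, remote, routers):
    """What must line up on both ends before phase 1 is even attempted."""
    out, lc, rc = [], local["cmap"], remote["cmap"]
    if lc["peer"] != crypto_address(remote):
        out.append(f"set peer {lc['peer']} is not the remote crypto interface {crypto_address(remote)}")
    lacl, racl = local["acls"][lc["address"]], remote["acls"][rc["address"]]
    if sorted(lacl) != sorted((d, s) for s, d in racl):
        out.append("crypto ACLs are not mirror images")
    if local["subject"] == remote["subject"]:  # both ends use 'crypto isakmp identity dn'
        out.append(f"both peers identify as {local['subject']!r}; confirm the CA issued each its own certificate")
    for src, dst in lacl:
        if not has_route(local, dst, routers):
            out.append(f"no route to {dst}: packets from {src} are dropped before the crypto map can match")
    return out

ROUTERS = {"R1": parse(R1), "R2": parse(R2), "R3": parse(R3)}

def run():  # each crypto-map endpoint checked against its peer
    return {"R1": check_peer(ROUTERS["R1"], ROUTERS["R3"], ROUTERS.values()),
            "R3": check_peer(ROUTERS["R3"], ROUTERS["R1"], ROUTERS.values())}
```

On the configs as posted, run() reports for both R1 and R3 that the far loopback (3.3.3.3 from R1, 1.1.1.1 from R3) has no route: neither router advertises its loopback into EIGRP, and the static routes only cover each router's own connected loopback subnet. A ping from lo1 to lo3 is therefore dropped in forwarding before it reaches the interface holding the crypto map, so nothing ever triggers ISAKMP and debug crypto isakmp stays silent. It also flags that both trustpoints carry the same subject-name, which is worth confirming with the CA because both ends identify by DN. The peer addresses and crypto ACLs check out.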
